Snort mailing list archives

RAT sigs from CrowdStrike Report


From: Y M <snort () outlook com>
Date: Wed, 16 Jul 2014 20:05:37 +0000

So as soon as I started reading the CrowdStrike report 
(http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) I tried writing sigs 
for what's in the report, only to find out later that it had the sigs written already (face-palm). Lesson of the day: 
RTFM.
Not sure if these are already in the current ruleset.

Here is my shot at it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.4HRAT beacon request"; 
flow:to_server,established; content:"/search?"; http_uri; fast_pattern:only; pcre:"/\/search[0-9]{5}?/"; content:"h1="; 
http_uri; content:"&h2="; http_uri; content:"&h3="; http_uri; content:"&h4="; http_uri; metadata:policy balanced-ips 
drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100234; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT initial beacon request"; 
flow:to_server,established; content:"GET"; http_method; content:"/default/connect.aspx?"; http_uri; fast_pattern:only; 
content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 
5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; 
content:!"Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset 
community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100235; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT C2 registration"; 
flow:to_server,established; content:"POST"; http_method; content:"/default/connect.aspx?"; http_uri; 
fast_pattern:only; content:"ID="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 
20|Windows NT 5.1|29|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100236; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.3PARA RAT task request"; 
flow:to_server,established; content:"/getupdate/default.aspx?ID="; http_uri; 
pcre:"/\/getupdate\/default\.aspx\?ID=[0-9]{5}&para1=-[0-9]{8,10}&para2=-[0-9]{8,10}&para3=-[0-9]{2}/U"; 
content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100237; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT beacon request"; 
flow:to_server,established; content:"/MicrosoftUpdate/ShellEX/KB"; http_uri; fast_pattern:only; 
pcre:"/\/MicrosoftUpdate\/ShellEX\/KB[0-9]{7}\/default\.aspx\?tmp=/U"; 
content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100238; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; 
flow:to_server,established; content:"/Microsoft/errorpost"; http_uri; fast_pattern:only; 
pcre:"/\/Microsoft\/errorpost[0-9]{7}\/default\.aspx\?tmp=/U"; 
content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100239; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HTTPCLIENT C2 request"; 
flow:to_server,established; content:"/MicrosoftUpdate/GetUpdate/KB"; http_uri; fast_pattern:only; 
pcre:"/\/MicrosoftUpdate\/GetUpdate\/KB[0-9]{7}\/default\.aspx\?tmp=/U"; 
content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|Windows NT 5.1|29|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf; 
classtype:trojan-activity; sid:100240; rev:1;)
I guess some signatures can be made more generic.
YM
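As an added example (not part of the original post), the URI regexes from the 3PARA task-request and HTTPCLIENT rules above can be sanity-checked offline before loading the rules into Snort: the script below runs them, together with the User-Agent string the rules require, over a few constructed proxy log lines. The log format (client, URI, User-Agent, tab-separated) and the client addresses are made up for the example.

```python
import re

# URI patterns mirroring the pcre options in the rules above (Python re syntax).
URI_RULES = {
    "3PARA RAT task request": re.compile(
        r"/getupdate/default\.aspx\?ID=[0-9]{5}&para1=-[0-9]{8,10}"
        r"&para2=-[0-9]{8,10}&para3=-[0-9]{2}"),
    "HTTPCLIENT beacon request": re.compile(
        r"/MicrosoftUpdate/ShellEX/KB[0-9]{7}/default\.aspx\?tmp="),
    "HTTPCLIENT errorpost C2 request": re.compile(
        r"/Microsoft/errorpost[0-9]{7}/default\.aspx\?tmp="),
    "HTTPCLIENT GetUpdate C2 request": re.compile(
        r"/MicrosoftUpdate/GetUpdate/KB[0-9]{7}/default\.aspx\?tmp="),
}
# The User-Agent the rules match as a substring of the request headers.
REQUIRED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def match_rules(uri, user_agent):
    """Return the rule names whose URI pattern matches, provided the User-Agent also matches."""
    if REQUIRED_UA not in user_agent:
        return []
    return [name for name, rx in URI_RULES.items() if rx.search(uri)]


def scan_log(lines):
    """Parse constructed 'client<TAB>uri<TAB>user-agent' lines and return (client, rule) hits."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing
        client, uri, ua = parts
        for name in match_rules(uri, ua):
            hits.append((client, name))
    return hits


# Constructed sample log: two true hits, one URI hit with the wrong User-Agent, one benign request.
SAMPLE_LOG = [
    "10.0.0.5\t/MicrosoftUpdate/ShellEX/KB1234567/default.aspx?tmp=abc\t" + REQUIRED_UA,
    "10.0.0.6\t/getupdate/default.aspx?ID=12345&para1=-123456789&para2=-1234567890&para3=-12\t" + REQUIRED_UA,
    "10.0.0.7\t/MicrosoftUpdate/ShellEX/KB1234567/default.aspx?tmp=abc\tMozilla/5.0 (Windows NT 10.0)",
    "10.0.0.8\t/search?q=snort\t" + REQUIRED_UA,
]

if __name__ == "__main__":
    for client, rule in scan_log(SAMPLE_LOG):
        print(client, "->", rule)
```

The third line shows why the header content match matters: the URI alone would fire, but the rules require both conditions.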
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org